The Infostealer Lifecycle: From 0 to 48 Hours
48 hours. That's how long it takes for your employee's credentials to go from an infected laptop to an underground marketplace — and into the hands of a ransomware operator.
Whiteintel Team
Intelligence Division
Database breaches get discovered weeks or months after they happen. Forensic teams spend days reconstructing what occurred. Affected users get notified eventually. Infostealers work faster.
An employee downloads cracked software on Tuesday afternoon. By Thursday morning, their credentials are listed on Russian Market for $15. Corporate VPN access, AWS credentials, session tokens that bypass MFA — all packaged and ready for purchase.
The infection happens outside your network. The harvest takes minutes. The monetization is complete before your security team would typically detect anything unusual.
Hour 0–2: Infection
Hour 2–12: Harvest
Hour 12–24: Package
Hour 24–48: Marketplace
Hour 48+: Exploitation
The Infection Vector
The infection begins outside your security perimeter. An employee downloads what appears to be legitimate software. A contractor clicks a malicious ad. A developer installs a cracked plugin.
Common Distribution Methods
Cracked software remains the primary infection vector. Productivity tools like Adobe Creative Suite, Microsoft Office, and development IDEs are packaged with infostealer payloads. Gaming cheats and "free" premium software attract users looking to bypass licensing costs.
Malvertising campaigns target users through legitimate advertising networks. Threat actors purchase ad space on popular websites, redirecting victims to fake download pages hosting malware.
YouTube tutorials promise free tools, hacks, or workarounds. The video description contains links to infected executables. Users following along install the malware while attempting to replicate the tutorial.
Supply chain compromises embed infostealers in legitimate software updates or third-party libraries, reaching users who would never intentionally download suspicious files.
Active Infostealer Families
Most prevalent in 2024, surpassing RedLine. Offered as MaaS with advanced anti-detection, targeting browser credentials, crypto wallets, and auth tokens. Dominance grew as operators continuously updated evasion techniques.
Remained widely deployed despite law enforcement action in October 2024 (Operation Magnus). Priced at $100–200/month, extracts credentials from 80+ applications including browsers, FTP clients, email, and messaging apps.
Focuses on cryptocurrency wallet theft with broad credential harvesting. Returned as v2 in 2023 after its developer's arrest, continuing to operate through 2024.
Pay-per-install model distributed through cracked software and malicious ads. Extracts browser data, crypto wallets, and system information before exfiltrating to attacker-controlled servers.
Infections increased 376% between Q1 and Q3 2024, with over 80,000 logs appearing on Russian Market during this period.
The infection itself takes seconds. Modern infostealers are designed for speed and stealth — they execute, harvest data, and often self-delete within minutes of initial infection, before traditional antivirus or EDR solutions detect anomalous behavior.
The Harvest
Once executed, the infostealer extracts data systematically. Browser credentials stored in SQLite databases. Session cookies that remain valid for weeks. VPN configurations. SSH keys. Cryptocurrency wallets. Every saved password, every active session, every piece of authentication data the user accumulated over months or years of browsing.
Browser Credentials
- All saved passwords across Chrome, Firefox, Edge, Opera
- Credentials for SSO portals, cloud services, banking
- Browser master password if available
Session Cookies & Tokens
- Active auth sessions — bypass MFA entirely
- Cookies valid for days or weeks after harvest
- Average log contains 10–25 business app credentials
Application Data
- FTP clients, email clients, messaging apps
- VPN configurations, SSH private keys
- Cloud service credentials from config files
High-Value Targets
- Cryptocurrency wallets, seed phrases, private keys
- System info: IP, geolocation, hardware specs
- Autofill: names, addresses, credit card data
Browser credentials live in SQLite databases within user profile directories. The stealer copies these databases, extracts the encrypted credentials, and decrypts them using keys stored elsewhere in the system. Session cookies are simpler — already decrypted and ready to use.
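The pattern described above, a single non-browser process reading several credential stores within seconds, is detectable on the endpoint. The following is an added example (not code from the article or from Whiteintel): a small detector run over constructed Sysmon-style file-access records; the file names, process names and record format are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Files where Chromium- and Firefox-based browsers keep saved logins, cookies and
# the key material the article refers to (assumed names, for illustration).
CREDENTIAL_STORES = re.compile(
    r"[\\/](Login Data|Cookies|Local State|Web Data|logins\.json|key4\.db|cookies\.sqlite)$",
    re.IGNORECASE)
# Processes expected to open those files; anything else reading them is suspect.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe", "opera.exe", "brave.exe"}
WINDOW = timedelta(seconds=60)  # a stealer hits every store within seconds


def parse_event(line):
    """Parse a constructed 'ISO-time|image path|target path' record."""
    ts, image, target = line.split("|", 2)
    return datetime.fromisoformat(ts), image.rsplit("\\", 1)[-1].lower(), target


def find_harvesters(lines, min_stores=2):
    """Map each non-browser image that read at least `min_stores` distinct
    credential stores within WINDOW to the sorted list of stores it touched."""
    touches = defaultdict(list)  # image -> [(time, store name)]
    for line in lines:
        ts, image, target = parse_event(line)
        match = CREDENTIAL_STORES.search(target)
        if match and image not in BROWSER_IMAGES:
            touches[image].append((ts, match.group(1)))
    hits = {}
    for image, events in touches.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            burst = {name for t, name in events[i:] if t - start <= WINDOW}
            if len(burst) >= min_stores:
                hits[image] = sorted(burst)
                break
    return hits


# Constructed telemetry: one legitimate browser read, one burst from a dropper.
SAMPLE_EVENTS = [
    "2024-09-10T14:02:11|C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|C:\\Users\\a\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data",
    "2024-09-10T14:05:40|C:\\Users\\a\\AppData\\Local\\Temp\\setup_crack.exe|C:\\Users\\a\\AppData\\Local\\Google\\Chrome\\User Data\\Local State",
    "2024-09-10T14:05:41|C:\\Users\\a\\AppData\\Local\\Temp\\setup_crack.exe|C:\\Users\\a\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data",
    "2024-09-10T14:05:42|C:\\Users\\a\\AppData\\Local\\Temp\\setup_crack.exe|C:\\Users\\a\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network\\Cookies",
    "2024-09-10T14:05:43|C:\\Users\\a\\AppData\\Local\\Temp\\setup_crack.exe|C:\\Users\\a\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\x.default\\logins.json",
    "2024-09-10T16:30:00|C:\\Windows\\explorer.exe|C:\\Users\\a\\Documents\\notes.txt",
]
```

Calling `find_harvesters(SAMPLE_EVENTS)` flags only `setup_crack.exe`; the browser's own read of its login store is ignored.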
The Package
The harvested data doesn't get sold as raw database files. It's packaged, categorized, and formatted for buyers. Each "log" — the industry term for a package of stolen data from a single infection — is compressed, uploaded, and in some cases automatically parsed for searchability.
What a Typical Log Contains
Quality Tiers
Not all logs are equal. Marketplaces categorize logs by value:
Corporate infrastructure (VPN, AWS, Azure, admin panels), crypto wallets with confirmed balances, banking credentials. Command premium prices.
Credentials for popular services (streaming, e-commerce, social media) or business applications without obvious financial access.
Primarily consumer credentials with limited monetization potential.
The Marketplace
By this point, the stolen credentials are for sale.
Primary Marketplaces
Russian Market operates as one of the largest infostealer log marketplaces. As of early 2024, it contained over 17 million stolen credentials with daily uploads from multiple infostealer families. The platform offers a search interface allowing buyers to filter by domain, country, or specific credential types.
2easy emerged as a major marketplace following the decline of Genesis Market after law enforcement action in 2023, hosting millions of compromised credentials with a user-friendly interface for searching and purchasing logs.
Telegram channels increasingly serve as both marketplace and distribution platform. Private channels advertise fresh logs, often organized by target organization or credential type. Telegram's encrypted messaging and lack of centralized oversight make it attractive for threat actors seeking alternatives to web-based marketplaces.
Who's Buying
Credential Stuffing Operators
Buy logs in bulk for automated account takeover campaigns against streaming services, e-commerce, and subscription platforms.
Targeted Attackers
Search for specific corporate domains, filtering marketplaces for credentials to particular organizations. Pay premium for confirmed access.
Cryptocurrency Thieves
Target logs containing wallet data for immediate financial theft. No waiting — wallets get drained within minutes.
Initial Access Brokers
Purchase corporate credentials ($50–500) and resell access to ransomware operators for $5,000–50,000 depending on the target.
The Exploitation
By hour 48, the credentials are in use. Automated tools test stolen credentials against thousands of websites. VPN credentials provide direct access to corporate environments. Stolen session cookies bypass authentication entirely — the system sees a valid session, no login attempt, no MFA prompt, no anomaly. Cryptocurrency wallets get drained immediately. Corporate infrastructure credentials bought for $500 get resold to ransomware operators for $50,000.
The Detection Problem
Traditional security monitoring sees legitimate authentication. Logs show successful logins from residential IPs. No malware on corporate infrastructure. No intrusion detection alerts. The compromise happened outside your visibility — the exploitation looks like normal user activity.
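A replayed cookie does look like a valid session to the application, but it rarely arrives from the same network and client that created the session, and often while the real user is still active. The following is an added example (not code from the article or from Whiteintel) of binding a session at login and scoring later requests; the ASN values, user agents and timings are constructed.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta

CONCURRENCY = timedelta(minutes=10)  # one cookie, two networks, this close together

def ua_fingerprint(user_agent):
    return hashlib.sha256(user_agent.encode()).hexdigest()[:16]

@dataclass
class Binding:
    user: str
    asn: str         # network the session was created from
    ua_hash: str     # client fingerprint at login
    last_asn: str
    last_seen: datetime

class SessionMonitor:
    def __init__(self):
        self.sessions = {}

    def on_login(self, sid, user, ts, asn, user_agent):
        self.sessions[sid] = Binding(user, asn, ua_fingerprint(user_agent), asn, ts)

    def on_request(self, sid, ts, asn, user_agent):
        """Return (score, reasons); a score of 2 or more warrants revoking the session."""
        b = self.sessions.get(sid)
        if b is None:
            return 0, ["unknown session"]
        reasons = []
        if ua_fingerprint(user_agent) != b.ua_hash:
            reasons.append("client fingerprint differs from login")
        if asn != b.asn:
            reasons.append("network differs from login")
        # Strongest signal: the real user and a replayed copy of the cookie in use at once.
        if asn != b.last_asn and ts - b.last_seen <= CONCURRENCY:
            reasons.append("concurrent use from two networks")
        b.last_asn, b.last_seen = asn, ts
        return len(reasons), reasons

def replay_scenario():
    """Constructed: login, a legitimate request, the cookie replayed from elsewhere, the user again."""
    m = SessionMonitor()
    t0, ua = datetime(2024, 9, 12, 9, 0), "Mozilla/5.0 (Windows NT 10.0) Chrome/128.0"
    m.on_login("sid-1", "alice", t0, "AS7018", ua)
    return [m.on_request("sid-1", t0 + timedelta(minutes=5), "AS7018", ua)[0],
            m.on_request("sid-1", t0 + timedelta(minutes=7), "AS64512", "curl/8.0")[0],
            m.on_request("sid-1", t0 + timedelta(minutes=8), "AS7018", ua)[0]]
```

Note that the real user's next request also scores (concurrent use), which is the point: once both sides are using one session, the session, not just the password, has to be revoked.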
The Whiteintel Approach: Monitoring the Marketplace
Your security tools can't see what happens on an employee's personal laptop. They can't detect when an infostealer harvests credentials from an unmanaged device at home. But they can monitor where those credentials end up.
Latest Infostealer Logs
Credentials harvested from infected endpoints within actionable timeframes. Alerts come while you can still revoke access and investigate the compromised device.
Active Combolists
Credential pairs currently being tested against your authentication systems in active stuffing campaigns.
Database Leaks
Credentials originating from third-party applications that include enterprise users — mapped to your organization.
The Whiteintel Response Window
Traditional breach monitoring alerts you months after a database breach, long after affected users have changed jobs or reset passwords. Whiteintel alerts you while the credentials are fresh and actively being sold. The difference is responding before exploitation, not after.
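What a marketplace alert has to turn into, given the 48-hour window and the fact that harvested cookies outlive a password reset, is shown in the following added example (not Whiteintel's product code; the alert fields, credential types and sample feed are constructed assumptions).

```python
from datetime import datetime, timedelta

RESPONSE_WINDOW = timedelta(hours=48)  # the article's harvest-to-exploitation window
# What each credential type lets a buyer do, and what actually closes it.
# A password reset alone leaves harvested session cookies valid for weeks.
ACTIONS = {
    "password": ["force password reset", "revoke all sessions"],
    "session_cookie": ["revoke all sessions", "invalidate refresh tokens"],
    "vpn": ["disable VPN account", "review VPN logins since harvest"],
    "cloud_key": ["rotate cloud access key", "audit cloud API calls since harvest"],
}
PREMIUM = {"vpn", "cloud_key"}  # corporate infrastructure: sold at a premium, acted on first

def plan_response(alerts, now, org_domain):
    """Group marketplace alerts per user, order by urgency and list required actions.
    Each alert: {'user', 'type', 'harvested_at'}; only users at org_domain are in scope."""
    per_user = {}
    for a in alerts:
        if not a["user"].lower().endswith("@" + org_domain):
            continue
        u = per_user.setdefault(a["user"], {"types": set(), "harvested_at": a["harvested_at"]})
        u["types"].add(a["type"])
        u["harvested_at"] = min(u["harvested_at"], a["harvested_at"])  # earliest exposure
    tickets = []
    for user, u in per_user.items():
        age = now - u["harvested_at"]
        actions = []
        for t in sorted(u["types"], key=lambda t: (t not in PREMIUM, t)):
            for act in ACTIONS.get(t, ["manual review"]):
                if act not in actions:
                    actions.append(act)
        tickets.append({"user": user, "age_hours": round(age.total_seconds() / 3600, 1),
                        "inside_window": age <= RESPONSE_WINDOW,
                        "premium": bool(u["types"] & PREMIUM), "actions": actions})
    # Corporate access first, then the freshest logs, which buyers have had least time to act on.
    tickets.sort(key=lambda t: (not t["premium"], t["age_hours"]))
    return tickets

# Constructed feed: two employees exposed, one partner-domain user out of scope.
SAMPLE_ALERTS = [
    {"user": "bob@example.com", "type": "password", "harvested_at": datetime(2024, 9, 10, 14, 5)},
    {"user": "bob@example.com", "type": "session_cookie", "harvested_at": datetime(2024, 9, 10, 14, 5)},
    {"user": "carol@example.com", "type": "vpn", "harvested_at": datetime(2024, 9, 9, 8, 0)},
    {"user": "dave@partner.net", "type": "password", "harvested_at": datetime(2024, 9, 10, 9, 0)},
]
NOW = datetime(2024, 9, 11, 14, 5)
```

Running `plan_response(SAMPLE_ALERTS, NOW, "example.com")` puts Carol's VPN exposure first even though it is older and already outside the window, and Bob's ticket carries a session revocation alongside the reset.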
Are Your Employees' Credentials Already for Sale?
Whiteintel monitors infostealer marketplaces in real time. Find out if your organization's credentials are being sold — before attackers act on them.